Skip to content

Commit

Permalink
fix: heap buffer overflow found by memory check
Browse files Browse the repository at this point in the history
  • Loading branch information
haolinw committed Dec 19, 2024
1 parent 033808e commit dcf2fe4
Showing 1 changed file with 10 additions and 3 deletions.
13 changes: 10 additions & 3 deletions source/dnode/vnode/src/tsdb/tsdbCacheRead.c
Original file line number Diff line number Diff line change
Expand Up @@ -161,10 +161,17 @@ static int32_t saveOneRow(SArray* pRow, SSDataBlock* pBlock, SCacheRowsReader* p
// allNullRow = p->isNull & allNullRow;
if (!p->isNull) {
if (IS_VAR_DATA_TYPE(pColVal->colVal.value.type)) {
int32_t pkBufLen = (pReader->rowKey.numOfPKs > 0) ? pReader->pkColumn.bytes : 0;
int32_t bytes = (slotId == -1) ? 1 : pReader->pSchema->columns[slotId].bytes;
uint32_t allocBufLen = bytes + pkBufLen;
uint32_t len = pColVal->colVal.value.nData;
if (allocBufLen < pColVal->colVal.value.nData) {
tsdbWarn("data length exceeded the allocated buffer length, will be truncated");
len = allocBufLen;
}
varDataSetLen(p->buf, pColVal->colVal.value.nData);

memcpy(varDataVal(p->buf), pColVal->colVal.value.pData, pColVal->colVal.value.nData);
p->bytes = pColVal->colVal.value.nData + VARSTR_HEADER_SIZE; // binary needs to plus the header size
memcpy(varDataVal(p->buf), pColVal->colVal.value.pData, len);
p->bytes = len + VARSTR_HEADER_SIZE; // binary needs to plus the header size
} else {
memcpy(p->buf, &pColVal->colVal.value.val, pReader->pSchema->columns[slotId].bytes);
p->bytes = pReader->pSchema->columns[slotId].bytes;
Expand Down

0 comments on commit dcf2fe4

Please sign in to comment.